The Hacker News — Cyber Security, Hacking, Technology News

WannaCry, the biggest ransomware attack in the history, gained prominence very rapidly in the media globally after the ransomware infected more than 300,000 computers in over 150 countries within just 72 hours.

Governments, Intelligence agencies and law enforcement around the world have already started their investigations and are working closely with affected companies to track down hackers responsible for the global cyber attack launched on Friday, 12th May.

If you have been following WannaCry coverage on The Hacker News, you should be aware of that the WannaCry ransomware uses Tor hidden service to communicate with its command-and-control server.

Just yesterday, we came to know that French authorities had seized at least 6 Tor's entry guard node servers, hosted on France-based hosting providers, just two days after the outbreak of ransomware attack while investigating the WannaCry incident.

On 15th May, a French hacktivist who uses the online moniker ‘Aeris’ informed the Tor community that officials from the Central Office for Combating Crime Related to Information and Communication Technologies (OCLCTIC) had raided the Online.net hosting provider and seized his "kitten1" and "kitten2" servers (a Tor guard and fallback directory) on 14th May.

"Cops raided OVH, Online.net and FirstHeberg hosting providers on the basis of a complaint filed by French Renault company that was one of the victims of the WannaCry infection," Aeris told The Hacker News.

"I went to court to have access to information about the seizure of my servers, but it refused to provide me with any information, and even the providers are under gag order."

Aeris told THN that he is aware of the seizure of a total of 6 Tor relays, operated by 5 operators.

Perhaps nobody was aware of the takedown of these servers in question until the author of Deepdotweb first reported about this incident on Saturday.

Aeris also claimed that the French authorities had taken this action after a victim company (possibly Renault, a France-based multinational automobile manufacturer) contacted the agency for help and provided network traffic logs to assist the investigation.

Since the Tor nodes have been securely implemented to protect the privacy of Tor users and no actual data had been retained on them, the law enforcement authorities would hardly find any evidence related to the WannaCry gang.

"Private keys are under an encrypted volume and may be protected, but please revoke immediately the kitten1 & kitten2 Tor nodes. Those nodes are also fallback directories," Aeris warned.

The WannaCry epidemic that hit victims worldwide used self-spreading capabilities to infect vulnerable Windows computers, particularly those running older versions of the operating system.

While most of the affected organisations have now returned to normal, law enforcement agencies across the world are still on the hunt.

Researchers have discovered over 100 malicious nodes on the Tor anonymity network that are "misbehaving" and potentially spying on Dark Web sites that use Tor to mask the identities of their operators.

Two researchers, Amirali Sanatinia and Guevara Noubir, from Northwestern University, carried out an experiment on the Tor Network for 72 days and discovered at least 110 malicious Tor Hidden Services Directories (HSDirs) on the network.

These nodes, also known as Tor hidden service directories (HSDirs), are servers that act as introductory points: they are configured to receive traffic and direct users to hidden services (".onion" addresses).

In other words, the hidden services directory or HSDir is a crucial element needed to mask the true IP address of users on the Tor Network. But, here’s the issue:

HSDir can be set up by anyone.

"Tor's security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave," Noubir says. "Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs)."

The pair introduced around 1,500 honeypot servers, which they called HOnions (Honey Onions), running a framework to expose "when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts."
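The detection idea above rests on one observation: a honion's address is never published anywhere except to the HSDirs that store its descriptor, so any visit to it proves that one of those HSDirs leaked or used the address. The following is an added example (not the researchers' HOnion framework) that applies that observation to a constructed placement table and access log, and attributes the visits to the fewest HSDirs that could explain them with a greedy set-cover heuristic; the choice of greedy set cover, the three-HSDir placement per honion and the log format are all assumptions of this example.

```python
"""Attribute visits to never-published honeypot onion addresses to the HSDirs that
hosted them. Added example; it is not the HOnion framework from the paper, and the
placements and visit log below are constructed."""
from collections import defaultdict

# Constructed: each honion address was handed only to the three HSDirs that stored
# its descriptor, so those are the only relays that could have learned it.
HONION_PLACEMENTS = {
    "honion-a.onion": {"hsdir1", "hsdir2", "hsdir3"},
    "honion-b.onion": {"hsdir2", "hsdir4", "hsdir5"},
    "honion-c.onion": {"hsdir2", "hsdir6", "hsdir7"},
    "honion-d.onion": {"hsdir8", "hsdir9", "hsdir10"},
    "honion-e.onion": {"hsdir8", "hsdir11", "hsdir12"},
    "honion-f.onion": {"hsdir13", "hsdir14", "hsdir15"},
}

# Constructed access log of the honion web servers: timestamp, method, host, path.
VISIT_LOG = [
    "2016-03-01T10:00:00Z GET honion-a.onion /",
    "2016-03-01T10:05:00Z GET honion-b.onion /robots.txt",
    "2016-03-02T01:12:00Z GET honion-c.onion /",
    "2016-03-03T07:45:00Z GET honion-d.onion /",
    "2016-03-03T07:46:00Z GET honion-e.onion /",
]


def visited_honions(log_lines):
    """Hosts that received at least one request; nobody should know these exist."""
    visited = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3:
            visited.add(fields[2])
    return visited


def candidate_hsdirs(placements, visited):
    """Every HSDir that hosted a visited honion is a suspect."""
    suspects = set()
    for honion in visited:
        suspects |= placements[honion]
    return suspects


def minimal_snoopers(placements, visited):
    """Greedy set cover: the smallest set of HSDirs that explains every visit.
    An HSDir appearing in the placement of several visited honions is a far more
    likely snooper than several HSDirs each leaking exactly one address."""
    uncovered = set(visited)
    chosen = []
    while uncovered:
        coverage = defaultdict(set)
        for honion in uncovered:
            for hsdir in placements[honion]:
                coverage[hsdir].add(honion)
        # Most remaining visits explained wins; ties are broken by name for determinism.
        best = min(coverage, key=lambda d: (-len(coverage[d]), d))
        chosen.append(best)
        uncovered -= coverage[best]
    return sorted(chosen)


def report(placements, log_lines):
    """Map each attributed HSDir to the visited honions it hosted."""
    visited = visited_honions(log_lines)
    snoopers = minimal_snoopers(placements, visited)
    return {d: sorted(h for h in visited if d in placements[h]) for d in snoopers}


if __name__ == "__main__":
    for hsdir, honions in report(HONION_PLACEMENTS, VISIT_LOG).items():
        print(f"{hsdir}: visited honions it hosted -> {honions}")
```

With the constructed data, twelve HSDirs are suspects in isolation, but two of them (hsdir2 and hsdir8) between them hosted every visited honion, which is why the greedy step singles them out; spreading many honions across the directory ring is what turns a single visit into an attributable one.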

Over 100 Malicious Tor Nodes Snooping Dark Web Users

After the experiment, conducted between February 12, 2016, and April 24, 2016, the researchers gathered and analyzed all the data, revealing they identified at least 110 malicious HSDirs, most located in the US, Germany, France, UK and the Netherlands.

Over 70 percent of these 110 malicious HSDirs were hosted on professional cloud infrastructures, making it hard to learn who is behind the malicious nodes.

Furthermore, 25 percent of all 110 malicious HSDirs functioned as both HSDir and Exit nodes for Tor traffic, allowing the malicious relays to view all unencrypted traffic, conduct man-in-the-middle (MitM) attacks, and snoop on Tor traffic.

The paper, "Honions: Towards Detection and Identification of Misbehaving Tor HSDirs," [PDF] describes the researchers' work in detail and will be presented next week at the DEF CON security conference.

New Tor Design to Strengthen Tor Hidden Services

The researchers say Tor Project is aware of the HSDir issue and is working to identify and remove malicious HSDirs from the network.

"As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways—they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services," the Tor Project says in its blog.

Although Tor Project is working to remove malicious HSDirs, the long-term solution is a new design for hidden services: Mission: Montreal!

The code of the new design has been written, but a release date is still to be finalized, as the project says, "Tor developers finished implementing the protocol several months ago, and since then we've been reviewing, auditing, and testing the code."

According to the Tor developers, the new design will deploy a distributed random generation system that has "never been deployed before on the Internet."

Tor Users: Target of Government Hacks

Attacks on Tor are nothing new for the Tor Project. This research is the latest indication for hidden services and Tor users that the network cannot ultimately guarantee their anonymity.

The researchers canceled their talk demonstrating a low-cost way to de-anonymize Tor users at 2014’s Black Hat hacking conference with no explanation. The project has since patched the issues that made the FBI's exploit possible.

Recently, MIT researchers created Riffle, a new anonymity network that promises better security in situations where attackers introduce rogue servers into the network, a technique to which Tor is vulnerable, though it is a long way from becoming reality.

Another blow to the Tor Project: One of the Tor Project's earliest contributors has decided to quit the project and shut down all of the important Tor nodes under his administration.

Lucky Green was part of the Tor Project before the anonymity network was known as TOR. He probably ran one of the first 5 nodes in the TOR network at its inception and managed special nodes inside the anonymity network.

However, Green announced last weekend that "it is no longer appropriate" for him to be part of the Tor Project, whether it is financially or by providing computing resources.

TOR, also known as The Onion Router, is an anonymity network that makes use of a series of nodes and relays to mask its users' traffic and hide their identity by disguising IP addresses and origins.

The TOR network is used by privacy-conscious people, activists, journalists and users from countries with strict censorship rules.

Crucial and Fast TOR Nodes to be Shut Down Soon

Alongside a number of fast Tor relays, Green currently runs the Tor node "Tonga," very well known as the "Bridge Authority."

Bridge Authorities are critical network components that have their IP addresses hard-coded in the TOR apps, allowing the anonymity network to prevent various bans and blocking attempts at the ISP level. These nodes also hold critical data regarding other TOR nodes.

Moreover, since all Tor servers added to the anonymity network report back to one of the Bridge Authorities, shutting down the Bridge Authority will need an update to the TOR code.

So, practically, Lucky Green's exit from the Tor Project is a big deal.

Green didn't give the exact reason behind his decision to leave the Tor Project, though he hinted that "recent events" led to his exit. Here's what he said:

"I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control. I wish the Tor Project nothing but the best moving forward through those difficult times."

Although it is not clear, the recent events could be the result of the turmoil in the Tor Project, which surfaced when Jacob Appelbaum was forced to leave the Tor Project amid serious sexual allegations. Appelbaum strongly denies these accusations, but still decided to step down.

Green is not immediately closing down these crucial TOR nodes. He will shut down these nodes, as well as their associated cryptographic keys, on August 31, giving the Tor developers enough time to update their network.

Mozilla has filed a brief with a U.S. District Court asking the FBI to disclose the potential vulnerabilities in its Firefox browser that the agency exploited to unmask TOR users in a criminal investigation.

Last year, the FBI used a zero-day flaw to hack TOR browser and de-anonymize users visiting child sex websites.

Now, Mozilla is requesting the government to ask the FBI about the details of the hack so that it can ensure the security of its Firefox browser.

TOR is anonymity software that provides a safe haven to human rights activists, governments and journalists, but is also a place where drugs, child pornography, assassins for hire and other illegal activities have allegedly been traded. The TOR Browser Bundle is basically an Internet browser based on Mozilla Firefox, configured to protect the user's anonymity via Tor and Vidalia.

In 2015, the FBI seized computer servers running the world’s largest dark web child pornography site ‘Playpen’ from a web host in Lenoir, North Carolina. However, after the seizure, the site was not immediately shut down.

Instead, the FBI agents continued to run Playpen from its own servers in Newington, Virginia, from February 20 to March 4. During that period, the agency deployed its so-called Network Investigative Technique (NIT) to identify the real IP addresses of users visiting this illegal site.

Recently, an investigation revealed that Matthew J. Edman, a former employee of TOR Project, created malware for the FBI that has been used by US law enforcement and intelligence agencies in several investigations to unmask Tor users.

The FBI hacked more than a thousand computers in the US alone and over three thousand abroad. The Internet Service Providers (ISPs) were then forced to hand over the target customer’s details, following their arrest.

Two months back, a judge ordered the FBI to reveal the complete source code for the TOR exploit that not only affected the Tor Browser, which would have likely been used to hack visitors of PlayPen, but also Firefox.

Here’s what Mozilla’s top lawyer Denelle Dixon-Thayer explained in a blog post:

"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base."

Mozilla has now filed a motion with a US district court in Washington, asking the government to disclose the vulnerability within 14 days before any disclosure to the Defendant requiring the FBI to hand over the source code of the exploit to the defense team.

It is because Mozilla wants time to analyze the vulnerability, prepare a patch, and update its products before any malicious actor could exploit the flaw to compromise its Firefox browser, which is being used by millions of people.


In Brief

According to an investigation, Matthew Edman, a cyber security expert and former employee of the Tor Project, helped the FBI with Cornhusker a.k.a Torsploit malware that allowed Feds to hack and unmask Tor users in several high-profile cases, including Operation Torpedo and Silk Road.

Do you know who created malware for the FBI that allowed Feds to unmask Tor users?

It's an insider's job… A former Tor Project developer.

In an investigation conducted by Daily Dot journalists, it turns out that Matthew J. Edman, a former part-time employee of Tor Project, created malware for the Federal Bureau of Investigation (FBI) that has been used by US law enforcement and intelligence agencies in several investigations, including Operation Torpedo.

Matthew Edman is a computer scientist who specializes in cyber security and investigations. He joined the Tor Project in 2008 to build and enhance Tor software's interactions with Vidalia, a cross-platform GUI for controlling Tor.

After 2009, Matthew was hired by a contractor working for defense and intelligence agencies, including the FBI, to develop an anti-Tor malware.

The Tor Project has also confirmed the same, saying, "It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware."

Cases Solved with the Help of Former Tor Developer

Since 2012, Edman has been working at Mitre Corporation as a senior cyber security engineer assigned to the FBI's internal team, dubbed Remote Operations Unit, that develops or purchases exploits and hacking tools for spying on potential targets.

Due to his work for the Tor Project, Edman became an FBI contractor assigned a task to hack Tor as part of Operation Torpedo, a sting operation to identify owners and patrons of Dark Net child pornography websites that used Tor.

Besides working on Operation Torpedo, Edman also helped the federal agency shut down Silk Road, the first and most popular DarkNet drug marketplace, and arrest its convicted creator Ross Ulbricht.

According to testimony, it was Edman who did almost everything, from tracking $13.4 Million in Bitcoins from Silk Road to tracing Ulbricht's laptop, which played a significant role in Ulbricht being convicted and sentenced to life in prison.

Cornhusker/Torsploit Malware to Unmask Tor Users

To unmask Tor users, Edman worked closely with FBI Special Agent Steven A. Smith to develop and deploy malware, dubbed "Cornhusker" or "Torsploit," that collects identifying information on Tor users.

Tor is an anonymity software used by millions of people, including government officials, human rights activists, journalists and, of course, criminals around the world to keep their identity hidden while surfing the Internet.

This is also why the Tor software is used by people to visit Dark Net websites, like child pornography sites, which are inaccessible via standard web browsers.

The agency hijacked and placed Cornhusker on three servers that ran multiple anonymous child pornography websites. The malware then targeted the flaws in Flash inside the Tor Browser.

Adobe Flash Player has long been considered as unsafe by many security experts, and the Tor Project has long warned against using it. However, many people, including the dozens revealed in Operation Torpedo, make use of Flash inside their Tor Browser.

Though, according to court documents, Cornhusker is no longer in use, the FBI now uses its own funded "Network Investigative Technique" (NIT) to obtain the IP and MAC addresses of Tor users in the course of investigations.

However, the so-called network investigative technique was ruled invalid by the court during a hearing on the bust of the world’s largest dark web child pornography site, PlayPen.

On Monday, the opposition lawyers have filed a motion against the FBI to reveal the full source code of the malware it used to hack suspected visitors of PlayPen, or simply drop the case.

A year-old loophole in Apache Web Server, uncovered by an unknown Computer Science student, could potentially unmask the real identity of .onion domains and servers hidden behind the Tor network.

Although the loophole was reported on Reddit and to the Tor Project months back, it recently came to the limelight soon after a tweet by Alec Muffett, a well-known security enthusiast and current software engineer at Facebook.

What is a Tor Hidden (.onion) Service? Dark Web websites (generally known as 'onion services') with a special domain name that ends in .onion are called Tor Hidden Services and are reachable only via the Tor network.

Tor Hidden Service is a widely popular anonymity network used by Whistleblowers, Underground Markets, Defense Networks and more in order to maintain secrecy over the Internet.

An onion website can be hosted on top of any web server. But if you choose Apache, you need to rethink.

Apache Misconfiguration Exposes Tor Hidden Servers

According to the report, most distributions of Apache Server ship with the mod_status module enabled by default, which could disclose the real identity of .onion domains, placing onion servers at risk of being identified.

Apache's mod_status module helps server administrators monitor the health of the web server through an HTML interface, and is meant to be accessible via a web browser from localhost only.

The output of this module is available on every such server at the URL: http://website.com/server-status/

However, running the mod_status module alongside a Tor hidden service may expose the ‘server-status’ page to the world via the Tor daemon: the Tor daemon forwards onion visitors' requests to the web server from localhost, so the localhost-only restriction is satisfied by every onion visitor.

This page spits out sensitive backend data like the server's settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests, which is enough to figure out the server's location.

"What could a malicious actor do in that case? They could spy on potentially sensitive requests," reads the blog post regarding the issue. "They could deduce the server's approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present."

How to Disable mod_status on Apache

Now, if you run a .onion domain on top of any Apache server, make sure that mod_status is disabled.

For this, run the following command in a shell (a2dismod is the module-management helper on Debian-based systems):

sudo a2dismod status

Where,

"a2" stands for Apache 2.x

"dis" stands for disable

"mod" stands for module

After restarting Apache, reload the server-status URL and you should be met with a 403 or 404 error. That error message confirms you are no longer exposed to this risk.
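The misconfiguration described above and the fix that follows it both come down to two files: the Apache configuration that loads mod_status and restricts /server-status to local clients, and the torrc whose HiddenServicePort forwards onion traffic to that same local address. The following added example (not the report's or Apache's own code) audits constructed versions of both files for that combination. The config texts, the module path and the finding wording are assumptions of this example; the directives themselves (LoadModule, SetHandler server-status, Require local, HiddenServicePort) are real Apache and Tor directives.

```python
"""Audit an Apache config and a torrc for mod_status reachable through an onion
service. Added example, not the original report's code; all config text is constructed."""
import re

# Constructed: the stock Debian status.conf restricts /server-status to local clients.
WEAK_CONF = """
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

# Constructed hardened config: the status module is not loaded and no Location
# hands requests to the server-status handler (the state "a2dismod status" leaves).
HARDENED_CONF = """
<VirtualHost 127.0.0.1:80>
    DocumentRoot /var/www/onion
</VirtualHost>
"""

# Constructed torrc fragment: the onion service is forwarded to Apache on loopback,
# so every onion visitor reaches Apache with a 127.0.0.1 source address.
TORRC = """
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.S | re.I)
# Access rules that admit only loopback clients: Apache 2.4 "Require local" /
# "Require ip 127.0.0.1" and the Apache 2.2 "Allow from 127.0.0.1" form.
LOOPBACK_RULE_RE = re.compile(
    r"^\s*(Require\s+local|Require\s+ip\s+127\.0\.0\.1|Allow\s+from\s+127\.0\.0\.1)\b",
    re.I | re.M)


def uncommented(text):
    """Drop comment lines so a commented-out LoadModule is not counted as active."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def status_module_loaded(conf):
    return re.search(r"^\s*LoadModule\s+status_module\b", uncommented(conf), re.M) is not None


def status_locations(conf):
    """(path, block body) for every Location that serves the server-status handler."""
    return [(path, body) for path, body in LOCATION_RE.findall(uncommented(conf))
            if re.search(r"SetHandler\s+server-status", body, re.I)]


def tor_forward_targets(torrc):
    """(virtual port, target) pairs from HiddenServicePort lines."""
    return [(int(m.group(1)), m.group(2)) for m in
            re.finditer(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+)", uncommented(torrc), re.M)]


def forwards_to_loopback(torrc):
    return any(t.startswith(("127.", "localhost", "[::1]")) for _, t in tor_forward_targets(torrc))


def audit(conf, torrc):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    if status_module_loaded(conf):
        findings.append("mod_status is loaded; disable it (a2dismod status) unless it is needed")
    for path, body in status_locations(conf):
        if forwards_to_loopback(torrc):
            rule = "a loopback-only rule" if LOOPBACK_RULE_RE.search(body) else "no access rule"
            findings.append(f"{path} serves server-status with {rule}, but Tor forwards onion "
                            "visitors from loopback, so they can read it through the onion address")
        elif not LOOPBACK_RULE_RE.search(body):
            findings.append(f"{path} serves server-status with no access restriction")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf, TORRC) or ["no findings"])
```

The point the audit makes explicit is that "Require local" is not a protection here: Apache judges the client by the TCP peer address, and with HiddenServicePort pointing at 127.0.0.1 that address is loopback for every onion visitor. Disabling the module removes the handler entirely, which is why the hardened config yields no findings.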